MANAGEMENT ADVISORY REPORT

Cloud Computing Contract Clauses
April 30, 2014

Report Number SM-MA-14-005


HIGHLIGHTS

April 30, 2014
Cloud Computing Contract Clauses
Report Number SM-MA-14-005

BACKGROUND:

Cloud computing uses remote servers on the Internet to manage, store, and process data. Using cloud computing reduces costs while increasing the efficiency of services; however, it also has risks associated with data leaks and loss of public trust. U.S. Postal Service Supply Management (Technology Infrastructure Portfolio) contracting officials awarded 13 contracts totaling about $303 million for cloud computing services from fiscal years 2007 to 2013. The Postal Service's Information Security handbook of 2002 was in effect when officials awarded these contracts.

The Council of Inspectors General on Integrity and Efficiency issued a memorandum in 2011 on information accessibility, data security, and privacy concerns that federal agencies should consider before entering into cloud computing contracts. The memorandum identifies areas of concern for federal agencies but is not mandatory for the Postal Service. In August 2013, the Postal Service issued the Cloud Security handbook establishing information security policies and requirements to protect its information in a cloud computing environment.

Our objective was to assess whether cloud computing contracts have adequate controls to address information accessibility, data security, and privacy concerns.

WHAT THE OIG FOUND:

The 13 cloud computing contracts did not address information accessibility and data security for network access and server locations because the Information Security handbook in effect at the time of the contract award did not include these requirements. In addition, the Postal Service exempted a supplier from following the handbook for one contract that did not contain sensitive data. Although the data may not be sensitive, the handbook provides additional requirements such as insurance against losses resulting from data breaches and procedures for timely notification of these breaches.

The Postal Service's Cloud Security handbook addresses the information accessibility and data security gaps. However, contracting officials were concerned that including the policy in existing cloud computing contracts could increase contract costs. As a result, we identified potential costs of $12,429,228 for mitigating cloud security risks.

WHAT THE OIG RECOMMENDED:

We recommended management include Information Security and Cloud Security handbook requirements in future cloud computing contracts, regardless of data sensitivity, and assess the costs and benefits of incorporating these requirements into existing cloud computing contracts.


April 30, 2014

MEMORANDUM FOR:   SUSAN BROWNELL
                  VICE PRESIDENT, SUPPLY MANAGEMENT

                  CHARLES L. MCGANN
                  MANAGER, CORPORATE INFORMATION SECURITY

FROM:             Michael A. Magalski
                  Deputy Assistant Inspector General
                   for Support Operations

SUBJECT:          Management Advisory Report – Cloud Computing Contract Clauses (Report Number SM-MA-14-005)

This report presents the results of our review of Cloud Computing Contract Clauses (Project Number 13YG033SM000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Monique P. Colter, director, Supply Management and Facilities, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management


Cloud Computing Contract Clauses                                                    SM-MA-14-005

TABLE OF CONTENTS

Introduction
Conclusion
Cloud Computing Contracts and Policy
      Information Accessibility
      Data Security
Recommendations
Management's Comments
Evaluation of Management's Comments
Appendix A: Additional Information
      Background
      Objective, Scope, and Methodology
      Prior Audit Coverage
Appendix B: Other Impact
Appendix C: Management's Comments


Introduction

This report presents the results of our review of Cloud Computing Contract Clauses (Project Number 13YG033SM000). Our objective was to assess whether U.S. Postal Service cloud computing contracts have adequate controls to address information accessibility, data security, and privacy concerns. See Appendix A for additional information about this review.

Cloud computing uses remote servers on the Internet to manage, store, and process data. Using cloud computing reduces costs while increasing the efficiency of services; however, it also has risks associated with leakage of data and loss of public trust. Postal Service Supply Management Technology Infrastructure Portfolio[1] contracting officials awarded 13 contracts totaling about $303 million for cloud computing services from fiscal years (FY) 2007 to 2013. The Postal Service Information Security handbook[2] of 2002 was in effect when officials awarded these contracts.

The Council of Inspectors General on Integrity and Efficiency (CIGIE)[3] issued a memorandum in 2011 on the information accessibility, data security, and privacy concerns federal agencies should consider before entering into cloud computing contracts. The memorandum identifies areas of concern for federal agencies but is not mandatory for the Postal Service. In August 2013, the Postal Service issued policies[4] that established information security procedures and requirements to protect its information in a cloud computing environment.

Conclusion

The 13 cloud computing contracts did not address information accessibility and data security for network access and server locations. The version of Handbook AS-805 that was in effect when officials awarded the contracts did not include these as requirements. In addition, the Postal Service exempted a supplier from following the handbook in one contract because the contract did not contain sensitive data. Although data may not be sensitive, Handbook AS-805 provides additional requirements for insurance against losses resulting from data breaches and making timely notification of these breaches. Handbook AS-805H addressed the information accessibility and data security gaps; however, contracting officials were concerned that including the policy in existing cloud computing contracts could increase contract costs.

Contract language that inadequately addresses information accessibility and data security concerns increases the risk of data compromises and system breaches. As a result, we identified potential costs of $12,429,228 for mitigating cloud security risks. See Appendix B for additional information on other impact.

[1] The Technology Infrastructure Portfolio is responsible for managing the purchase of technology-related products and services, such as retail systems, telecommunications, and information technology (IT) hardware and software.
[2] Handbook AS-805, Information Security, 2002.
[3] The CIGIE develops policies, standards, and approaches to aid in the establishment and training of the Offices of Inspectors General.
[4] Handbook AS-805H, Cloud Security, August 2013.

Cloud Computing Contracts and Policy

The Postal Service included language in 13 cloud computing contracts to address privacy concerns; however, it did not include adequate language to address information accessibility and data security for network access and server locations. The information security policy in effect at that time did not include these requirements. In August 2013, the Postal Service updated Handbook AS-805H to bridge gaps in the information security policy.

Information Accessibility

The Postal Service did not require Cloud Service Providers (CSP) for all 13 contracts to state the amount of access they should have to the network over which postal information and data travel. The Postal Service did not require real-time monitoring capability and network access for the U.S. Postal Service Office of Inspector General (OIG) in one contract. The Postal Service should maintain access to the network to perform tests and ensure necessary access is available to security officials for investigative functions. It should also have real-time monitoring capability to guard against external attacks. OIG access is equally important when addressing information accessibility concerns. Supplying Principles and Practices (SP&P)[5] gives the Postal Service access to the CSP records; however, it does not specifically address OIG access to the cloud network to audit and investigate programs and employees.

Data Security

The Postal Service did not require CSPs for all 13 contracts to provide the locations of all servers containing Postal Service data. In addition, the Postal Service did not include language to address the following in one contract:

•   Incident Responsiveness – This ensures the vendor is aware of Postal Service requirements for mitigation and notification of data breaches and loss. The Postal Service should be aware of server locations and know where information is stored for accountability.

•   Restricted Access – Restricting access to the servers and cloud data ensures that only authorized individuals have access.

•   Vendor Indemnification – Vendors should indemnify[6] the Postal Service against the costs and liability of data breaches and loss.

•   Cloud Data Ownership – Although vendors may be responsible for the cloud environment, the data belong to the Postal Service, and contract language must specify ownership and requirements for disposal of cloud data after contract completion.

[5] SP&P Clause 4-2, Contract Terms and Conditions Required to Implement Policies, Statutes or Executive Orders (July 2009).
[6] Indemnification protects the Postal Service by requiring CSPs to pay for possible future damage or loss.

The CIGIE issued a memorandum[7] in 2011 identifying potential concerns that federal agencies should consider before entering into cloud computing contracts. These concerns are in the areas of data security, information accessibility, and regulatory compliance. The memorandum identified sub-areas within the three major areas of concern.[8] Addressing these concerns would help prevent system breaches and data leaks and ensure access to information needed for investigations (see Table 1).

                        Table 1. Cloud Computing Contract Concerns

No.  Area of Concern            Sub-Area                                    Contracts    Contract
                                                                            at Risk      Value
1.   Data Security              List of server locations                    13           $303,313,273
2.   Information Accessibility  Access to the network over which            (one cell spanning rows 1-2)
                                information and data travel
3.   Information Accessibility  Real-time monitoring                        1            $172,080[9]
4.   Information Accessibility  OIG access                                  (one cell spanning rows 3-8)
5.   Data Security              Vendor indemnification
6.   Data Security              Incident responsiveness
7.   Data Security              Cloud data ownership
8.   Data Security              Restricted access
9.   Regulatory Compliance      Privacy                                     0            $0

Sources: CIGIE memorandum and OIG analysis.

At the time the Postal Service awarded[10] the 13 contracts, it had an information security policy that addressed seven of the nine topics within the three major areas of concern we reviewed. However, the policy did not address access to the network over which Postal Service information and data travel or cloud server locations. Contracting officials did not include the information security policy or SP&P Clause 4-19, Information Security, which references these policies,[11] and other information security-related handbooks in the contract language for one of the 13 contracts. Officials obtained a waiver from the Corporate Information Security Office (CISO)[12] excluding this contract from the provisions of Clause 4-19 because the contract did not contain sensitive information. Although the data may not have been considered sensitive, Clause 4-19 provides additional protections and should be in all IT contracts. Further, the CSP is a ________________. Although the CISO approved a waiver excluding the clause, the Postal Service was still exposed to increased data security and information accessibility risks as the data were housed outside the country. Postal Service policy requires all servers, including back-up servers, to be in the contiguous U.S.[13]

[7] Cloud Computing Contracting Concerns, 2011.
[8] The CIGIE memorandum listed eight major areas of concern. Our scope examined three major areas of concern because the remaining concerns overlapped topics addressed in those three areas or were addressed in the SP&P.
[9] One contract did not include Handbook AS-805, Information Security, requirements and did not address cloud computing concerns 3 through 9, as depicted in Table 1.
[10] The Postal Service awarded the 13 contracts from FYs 2007 to 2013.

In August 2013, the Postal Service issued Handbook AS-805H, which bridged gaps in the information security policy and incorporated Federal Risk and Authorization Management Program (FedRAMP)[14] certification requirements. It requires CSPs to provide the Postal Service with their server locations and state the amount of access to the network the Postal Service should retain. However, contracting officials stated they did not plan to modify SP&P Clause 4-19 to include the requirements of the new cloud security policy because they did not have guidance on cloud computing and did not receive a request from the CISO to update the SP&P. Contracting officials also stated they did not plan to modify existing contracts to include the increased security requirements, such as compliance with FedRAMP, because it may require CSPs to change their business processes or systems and would increase contract costs.

Two of the CSPs,[15] whose three contracts totaled $136,114,238, are FedRAMP-certified; therefore, the Postal Service should not be subject to additional costs for incorporating FedRAMP into the contracts. In addition, ________________, a CSP to whom the Postal Service awarded a contract valued at $2 million in August 2013, voluntarily proposed pursuing FedRAMP certification in its technical proposal, although it was optional in the solicitation.

The Postal Service's issuance of Handbook AS-805H shows that it is aware of the significant risks in using cloud computing services; however, without guidance on procuring cloud computing contracts and contractual language requiring CSPs to comply with the new cloud security policy, the Postal Service remains exposed to potential information accessibility and data security risks in the cloud computing environment.

[11] Handbook AS-805 establishes policies to appropriately identify, classify, and protect Postal Service information resources.
[12] CISO establishes the overall strategic and operational plan for Postal Service information security programs and necessary implementation strategies.
[13] AS-805H Section 8-3, Privacy Contract Requirements, states that data stored outside the U.S. cannot be protected under the Privacy Act and may allow for certain local or foreign law enforcement authorities to search Postal Service data pursuant to a court order, subpoena, or informal request outside the control of the Postal Service.
[14] A government-wide program established in December 2011 that standardizes how federal agencies incorporate security assessment, authorization, and continuous monitoring for cloud computing contracts. Although exempt from the program, the Postal Service chooses to comply.
[15] ________________

The Ponemon Institute, which conducts independent research on privacy, data protection, and information security, issued a study on the cost of cyber crime.[16] The study indicates that information theft, including theft of trade secrets and customer information, is the most critical consequence of a cyber attack. The loss of customer information could damage the goodwill of the Postal Service and its brand. Additionally, the Ponemon study indicated the average cost to resolve a cyber attack is $1,035,769 per incident. Based on this information, we estimate the Postal Service's potential exposure costs associated with 12[17] contracts could be as high as $12,429,228 (see Appendix B).

Recommendations

We recommend the vice president, Supply Management, in coordination with the manager, Corporate Information Security:

1.      Include requirements from Handbook AS-805, Information Security, and Handbook AS-805H, Cloud Security, in future cloud computing contracts regardless of data sensitivity.

We recommend the vice president, Supply Management:

2.      Assess the cost and benefits of negotiating post-award agreements with cloud service providers to incorporate requirements from Handbook AS-805, Information Security, and Handbook AS-805H, Cloud Security, into existing cloud computing contracts.

Management's Comments

Management generally agreed with the finding, recommendations, and other impact associated with this report.

In response to recommendation 1, management stated they have directed the IT Software, Services and Retail Systems and Telecom and Information Hardware Category Management Centers to include Handbooks AS-805 and AS-805H in all new cloud-based contracts. However, Supply Management, in coordination with the CISO, will issue guidance to all contracting officials and others in the Chief Information Officer's office on incorporating the referenced handbooks; using appropriate clauses; and summarizing the necessity for information accessibility, data security for network access, and capturing server location details in future cloud computing contracts. The target implementation date is June 2014.

[16] Ponemon Institute 2013 Cost of Cyber Crime: United States, October 2013.
[17] We excluded one contract from our calculation because it had expired.

Regarding recommendation 2, management will obtain the pricing impact of modifying the 13 contracts identified in this report to include Handbooks AS-805 and AS-805H requirements. Contracting officials and the requirements office will assess the associated costs to determine whether the benefits of including the handbooks' requirements in the contract outweigh the additional cost. The target implementation date is July 2014. See Appendix C for management's comments, in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to the recommendations, and corrective actions should resolve the issues identified in the report. The OIG considers all the recommendations significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.


Appendix A: Additional Information

Background

Cloud computing is the practice of using remote servers on the Internet to manage, store, and process data. The Postal Service Supply Management Technology Infrastructure Portfolio's contracting officials awarded 13 contracts totaling about $303 million for cloud computing services from FYs 2007 to 2013.

The CIGIE issued a memorandum in 2011 outlining the concerns that federal agencies must be aware of before entering into cloud computing contracts. The memorandum identified eight areas of concern – information accessibility, data security, regulatory compliance, termination and transition, asset availability, maintenance, pricing and time, and intellectual property. Our review focused on three areas – information accessibility, data security, and regulatory compliance related to privacy.

FedRAMP supplements the National Institute of Standards and Technology's[18] (NIST) Special Publications, which provide federal agencies with an information systems risk management framework. Several agencies, including the U.S. Department of Homeland Security, U.S. Department of Defense, and U.S. General Services Administration, coordinated the development of FedRAMP. Before the establishment of FedRAMP in December 2011, each agency developed and incorporated cloud security measures into its own contracts. Severe overlap and inefficiency existed because each agency managed its own security risks and provided security assessments and authorizations for each IT system used. This was costly and inefficient, as agencies may have assessed, authorized, and deployed the same system. FedRAMP security protocols provide one-stop shopping for federal agencies and CSPs with a process that is completed once but used many times.

Objective, Scope, and Methodology

Our objective was to assess whether the Postal Service's cloud computing contracts have adequate controls to address information accessibility, data security, and privacy concerns. Our scope was limited to 13 cloud computing contracts identified by the Supply Management Technology Infrastructure Portfolio that were awarded between FYs 2007 and 2013. To accomplish our objective, we:

•    Reviewed Postal Service policies, procedures, and guidelines related to audits, investigations, and privacy.

•    Reviewed federal government laws and regulations.

•    Reviewed the CIGIE IT Subcommittee memorandum on cloud computing contracting concerns.

•    Reviewed the CIGIE IT Subcommittee's proposed Federal Acquisition Regulation clause addendum.

•    Reviewed documentation for 13 cloud computing contracts to determine whether Postal Service contracting officials:

     o Solicited contracts with FedRAMP requirements.

     o Included security requirements that protect the Postal Service cloud contracts.

     o Included language in cloud computing contracts allowing equal accessibility requirements for the OIG.

•    Interviewed OIG Office of General Counsel and IT staff to learn about the applicability of FedRAMP requirements to the Postal Service.

We conducted this review from August 2013 through April 2014, in accordance with the CIGIE Quality Standards for Inspection and Evaluation. We discussed our observations and conclusions with management on April 7, 2014, and included their comments where appropriate.

We assessed the reliability of computer-generated data by comparing the contract values obtained from the Postal Service's Enterprise Data Warehouse to hard copy contract documentation. We determined that the data were sufficiently reliable for the purposes of this report.

[18] NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all federal agencies.

Prior Audit Coverage

The OIG issued Cloud Computing (Report Number IT-AR-12-006, dated May 9, 2012), which concluded that opportunities exist for the Postal Service to use cloud computing technology to support IT operations, resources, and infrastructure. However, no overarching adoption strategies exist to determine which cloud deployment or service models are best suited for current IT operations or resources. The Postal Service did not have a consistent strategy or approach for determining the risks and benefits of implementing cloud computing technology. The OIG made three recommendations, including development of a common definition for cloud computing technology within the Postal Service and a cloud computing technology strategy. Management agreed with the findings and recommendations.


Appendix B: Other Impact

Recommendation     Impact Category       Amount
1                  IT Security[19]       $12,429,228

We calculated other impact based on 12 potential applications at risk[20] and the Ponemon Institute's 2013 research report,[21] which revealed the average cost per breach to an organization ($1,035,769). Each contract represents a separate Postal Service application. We derived the total other impact by multiplying $1,035,769 by 12 (the number of applications at risk) because the active contracts did not include adequate contract language to address information accessibility and data security concerns.

[19] IT security includes computer software, networks, and data that are vulnerable or at risk of loss because of fraud, inappropriate or unauthorized disclosure of sensitive data, or disruption of critical Postal Service operations and services.
[20] The Supply Management Technology Infrastructure Portfolio manager provided a list of 13 cloud computing contracts in September 2013. We excluded one contract from our calculation because it had expired.
[21] Ponemon Institute, 2013 Cost of Cyber Crime: United States, October 2013.


Appendix C: Management's Comments